
💥 $225K HIPAA Hit, Wise Faces State Heat, and JPMorgan Puts a Price on Data | Marketing’s Most Wanted

HIPAA fines surge, state regulators tighten their grip, and banks start charging for data access. What it all means for compliance and marketing this week.

Hi Marketing Wranglers,

The compliance and marketing world isn’t slowing down this week. A $225K HIPAA penalty shows how a “small” coding mistake can turn into a regulatory nightmare. Wise finds out the hard way that state regulators are more than ready to fill the CFPB’s shoes. And JPMorgan just put a price tag on banking data, signaling the end of the free data era for fintechs.

Let’s get started.

🚨 In This Week’s Issue

💸 $225K HIPAA Settlement: Deer Oaks pays big for a coding slip that exposed sensitive patient data for 17 months.

💥 State Regulators Pick Up Federal Slack On Wise: AML blind spots spark a multi-state crackdown after a federal pullback.

🏦 JPMorgan’s Pricey Data Play: A new “data tariff” could rewrite open banking economics and squeeze fintech margins.

New Slack Community:
Marketing, Compliance, and Legal are all feeling the heat—so we’re launching a community space on Slack to swap updates, share insights, and stay ahead together. Join the community here.

Warrant Partner Directory

Need marketing, compliance, or legal help? Visit the Warrant Directory for a curated list of experts we recommend.

💸 $225K HIPAA Settlement: When "Oops" Becomes Expensive

The Department of Health and Human Services' Office for Civil Rights (OCR) just handed Deer Oaks (a long-term care behavioral health provider) a $225,000 reality check after patient discharge forms sat exposed online for over a year.

But here's the kicker: this wasn't some sophisticated cyber attack. It was a simple coding error tied to an abandoned pilot project.

The Anatomy of a Privacy Disaster

Picture this: You're a behavioral health provider serving long-term care facilities. Patient discharge forms (complete with names, birth dates, diagnoses, and patient IDs) are accidentally made public through a coding glitch. The documents remain accessible for 17 months before anyone notices.

Then, as if the universe has a sense of irony, ransomware attackers strike in August 2023, compromising data from more than 171,000 individuals. At this point, OCR investigators aren't just knocking, they're breaking down the door.

What they found was a compliance nightmare:

  • No comprehensive HIPAA risk analysis (a legal requirement, not a suggestion)

  • Unauthorized disclosure of protected health information

  • Systems handling sensitive data without proper oversight

The Real Cost: More Than Money

Beyond the quarter-million-dollar penalty, Deer Oaks now faces a regulatory straitjacket of mandatory corrective actions, including:

  • Complete risk analysis across all systems handling electronic health data

  • Risk mitigation to "reasonable and appropriate" levels

  • New HIPAA-compliant policies with actual enforcement

  • Annual staff training (because apparently the first time didn't stick)

"Common deficiencies include lacking a risk analysis entirely or failing to update existing risk analyses when implementing new technologies."

— OCR Director Paula M. Stannard

Translation: Stop treating privacy compliance like a one-time homework assignment.

Why Marketers Should Care

This isn't just a compliance story, it's a brand story. When you're handling vulnerable populations like elderly care residents, trust isn't just important; it's everything.

  • Privacy as a Competitive Advantage: Organizations that proactively showcase strong data protection (through third-party certifications, transparency reports, or clear privacy commitments) can differentiate themselves in crowded markets. Privacy isn't just about avoiding fines; it's about earning customer confidence.

  • Crisis Communication Reality: When breaches happen, your marketing and legal teams better be best friends. Messaging must balance transparency with regulatory precision, because one wrong statement can trigger additional penalties.

The Bigger Picture

This settlement marks OCR's 17th HIPAA enforcement action in 2025, totaling over $7.6 million in penalties (and we're only halfway through the year). The message is crystal clear: data privacy enforcement is accelerating, and regulators aren't in a forgiving mood.

Whether you're in healthcare, finance, or any industry handling sensitive data, this case serves as an expensive reminder that privacy compliance isn't optional.

What's your organization's last risk analysis date? If you have to think about it, that's probably your answer.

More details on The HIPAA Journal.

💥 Wise Gets Schooled: When State Regulators Pick Up Federal Slack

Global payments giant Wise just learned a costly lesson about regulatory whiplash. First, the Consumer Financial Protection Bureau slammed them with a nearly $2.5 million penalty for "illegal remittance practices." Then, in a plot twist worthy of a regulatory thriller, the CFPB slashed that fine to just $45,000. Victory lap time? Not quite.

While Wise was celebrating its federal reprieve, state regulators were sharpening their knives. The result? A multi-state enforcement action that exposed gaping holes in Wise's compliance infrastructure and sent a clear message: when federal oversight retreats, state regulators advance.

The Regulatory Bait and Switch

Here's how the dominoes fell:

January: CFPB hits Wise with $2.5 million for advertising inaccurate fees and failing to properly disclose currency exchange rates. Classic consumer protection violations. (That could have been avoided with Warrant)

April: CFPB announces it's scaling back oversight of nonbanks, pushing responsibility to state regulators.

May: CFPB mysteriously cuts Wise's penalty to $45,000 (though they still must set aside $450,000 for consumer compensation).

This week: Multi-state examination results drop, revealing serious anti-money laundering deficiencies spanning July 2022 to September 2023.

The timing isn't coincidental. State regulators saw the federal pullback coming and were ready to pounce.

The Real Problem: Money Laundering Blind Spots

State regulators didn't just find paperwork issues. They uncovered fundamental flaws in how Wise monitors for money laundering, terrorism financing, and other illegal activities.

What went wrong:

  • Failed to conduct independent AML program reviews at appropriate frequency

  • Inadequate procedures for investigating suspicious transactions

  • Weak controls around high-risk accounts

  • Poor reporting mechanisms for suspicious activity

What happens next:

  • Independent monitor oversight (translation: expensive babysitting)

  • Strengthened AML controls across all operations

  • Enhanced suspicious activity detection and reporting

  • Ongoing state supervision

"Results like this illustrate the power of collaboration and consistency."

— Massachusetts Division of Banks Commissioner Mary L. Gallagher

Translation: federal agencies may retreat, but state regulators are coordinating like never before.

The Marketing Minefield

This case exposes two critical risks for financial services marketers:

Fee Transparency Traps: Wise's original CFPB violation stemmed from misleading fee disclosures and unclear exchange rate messaging. Even unintentional overstating of savings or downplaying of costs can trigger enforcement action. Product messaging must align precisely with regulatory expectations, not just marketing goals.

The Trust Tax: Once flagged for weak AML controls, companies face long-term reputational damage. Headlines about "money laundering risks" and "terrorism financing" stick around long after penalties are paid. Just ask Block (Cash App's parent company), which paid over $250 million for similar AML violations earlier this year.

The New Regulatory Circus

Wise's experience reveals the new reality for financial services companies: regulatory oversight isn't disappearing, it's fragmenting. Federal agencies may be pulling back, but state regulators are stepping up with unprecedented coordination.

The implications are stark:

  • Compliance teams must now monitor 50+ state regulatory agendas, not just federal priorities

  • Marketing messages must satisfy both federal and state disclosure requirements

  • AML and risk management programs face increased scrutiny from multiple angles

  • Operational gaps can trigger both compliance nightmares and PR disasters

Bottom line: The regulatory landscape isn't getting simpler, it's getting more complex. Companies that assumed federal pullback meant less oversight are learning otherwise. State regulators aren't just filling gaps; they're expanding the compliance battlefield.

Check out more details on Banking Dive.

🏦 JPMorgan’s Data Fees: A New “Digital Tariff” That Could Reshape Open Banking

Back in April 2024, JPMorgan CEO Jamie Dimon fired a warning shot in his annual shareholder letter:

"A new battle is brewing. Third parties want full access to banks' customer data so they can exploit it for their own purposes and profits."

— JPMorgan CEO Jamie Dimon

The message was crystal clear: banks are done giving away customer data for free. His solution? Make them pay for it.

That warning just became reality. JPMorgan is now telling fintechs they'll have to pay to access customer bank information, a move that could generate hundreds of millions for the bank while fundamentally reshaping how fintech companies operate.

The Data Tariff Era

Think of this as a tariff for the digital age. After all, we've all become very familiar with tariffs lately.

Just as importing goods carries a tax, importing bank data to build fintech products now comes with a financial "tax." For fintechs operating on razor-thin margins, the economics could be devastating. Reports suggest fees might equal multiples of the actual transaction values, turning profitable services into loss leaders overnight.

Data aggregators like Plaid, which connect fintechs to banks so that fintechs don't need direct integrations with each bank, face existential risk. JPMorgan serves 80 million customers across retail and commercial lines, making its data pipeline critical to most U.S. fintechs. If other major banks follow suit, entire business models built on free or cheap data access could crumble.

The market responded immediately on Monday, July 14:

  • Affirm's shares dropped nearly 1%

  • Sezzle slipped 1.3%

  • PayPal surged 3.5%

The message is clear: some fintechs are better positioned to absorb these costs than others.

The Regulatory Wild Card

This fee structure emerges as Rule 1033 (our favorite open banking rule) hangs in legal limbo. The Consumer Financial Protection Bureau's proposal to guarantee free consumer data access for fintechs was designed to support open banking, but it's facing fierce pushback from banks who argue the CFPB overstepped its authority.

The Trump administration's CFPB has filed court papers claiming the rule wrongly forces banks to share consumer data with commercial actors through costly and complex systems. If Rule 1033 gets vacated, banks will have even more freedom to impose fees on third-party access.

For fintechs built on free or low-cost data sharing, this scenario could force dramatic business model changes or push costs directly to consumers.

The Consumer Cost Calculation

These fees won't stop with fintechs. Costs are expected to flow down to end users in various forms. Recent PYMNTS Intelligence research found that consumers are already willing to pay more for faster transactions. Nearly half of those surveyed said they would accept higher fees for instant payments:

  • 27% willing to pay slightly more

  • 20% willing to pay significantly more

But for fintechs with low margins or negative cash flow (particularly those in the PYMNTS FinTech IPO Index), increased costs could trigger a deeper reckoning. Startups may need to pivot, consolidate, or completely overhaul pricing strategies to survive.

The Fragmentation Risk

Plaid CEO Zach Perret has warned that regulatory inconsistency could create chaos. He's cited cases where banks have blocked data access for cryptocurrency applications, forcing consumers to switch banks entirely. Without clear, uniform rules, the future of open banking in the U.S. could depend on individual bank policies rather than consistent standards.

The stakes are significant. Only about 1 in 10 consumers currently use open banking payments, according to PYMNTS Intelligence. If fees rise sharply, adoption could slow further, potentially undermining years of progress in data-driven financial innovation.

What This Means for the Industry

JPMorgan's move represents more than a revenue grab. It's a fundamental shift in how banks view their data assets. Customer information is no longer just a byproduct of banking relationships; it's a valuable commodity that should be monetized.

For fintechs: The free data era is ending. Companies need to evaluate whether their unit economics can support paying for data access or if they need to find alternative approaches to customer acquisition and service delivery.

For consumers: Expect higher fees or reduced service quality as fintechs pass along increased costs. The "free" fintech services of the past may become premium offerings.

For the industry: This could accelerate consolidation as smaller fintechs struggle to afford data access while larger players gain competitive advantages through scale.

More details on PYMNTS.

💬 We’re launching a community for Marketing, Compliance, and Legal teams to stay up to date on regulatory changes—and help each other navigate them.